src/libpolarssl/entropy.c

   1 /*
   2  *  Entropy accumulator implementation
   3  *
   4  *  Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
   5  *
   6  *  This file is part of mbed TLS (https://tls.mbed.org)
   7  *
   8  *  This program is free software; you can redistribute it and/or modify
   9  *  it under the terms of the GNU General Public License as published by
  10  *  the Free Software Foundation; either version 2 of the License, or
  11  *  (at your option) any later version.
  12  *
  13  *  This program is distributed in the hope that it will be useful,
  14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *  GNU General Public License for more details.
  17  *
  18  *  You should have received a copy of the GNU General Public License along
  19  *  with this program; if not, write to the Free Software Foundation, Inc.,
  20  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22
  23 #if !defined(POLARSSL_CONFIG_FILE)
  24 #include "polarssl/config.h"
  25 #else
  26 #include POLARSSL_CONFIG_FILE
  27 #endif
  28
  29 #if defined(POLARSSL_ENTROPY_C)
  30
  31 #include "polarssl/entropy.h"
  32 #include "polarssl/entropy_poll.h"
  33
  34 #include <string.h>
  35
  36 #if defined(POLARSSL_FS_IO)
  37 #include <stdio.h>
  38 #endif
  39
  40 #if defined(POLARSSL_SELF_TEST)
  41 #if defined(POLARSSL_PLATFORM_C)
  42 #include "polarssl/platform.h"
  43 #else
  44 #include <stdio.h>
  45 #define polarssl_printf     printf
  46 #endif /* POLARSSL_PLATFORM_C */
  47 #endif /* POLARSSL_SELF_TEST */
  48
  49 #if defined(POLARSSL_HAVEGE_C)
  50 #include "polarssl/havege.h"
  51 #endif
  52
  53 /* Implementation that should never be optimized out by the compiler */
  54 static void polarssl_zeroize( void *v, size_t n ) {
  55     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
  56 }
  57
  58 #define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
  59
  60 void entropy_init( entropy_context *ctx )
  61 {
  62     memset( ctx, 0, sizeof(entropy_context) );
  63
  64 #if defined(POLARSSL_THREADING_C)
  65     polarssl_mutex_init( &ctx->mutex );
  66 #endif
  67
  68 #if defined(POLARSSL_ENTROPY_SHA512_ACCUMULATOR)
  69     sha512_starts( &ctx->accumulator, 0 );
  70 #else
  71     sha256_starts( &ctx->accumulator, 0 );
  72 #endif
  73 #if defined(POLARSSL_HAVEGE_C)
  74     havege_init( &ctx->havege_data );
  75 #endif
  76
  77 #if !defined(POLARSSL_NO_DEFAULT_ENTROPY_SOURCES)
  78 #if !defined(POLARSSL_NO_PLATFORM_ENTROPY)
  79     entropy_add_source( ctx, platform_entropy_poll, NULL,
  80                         ENTROPY_MIN_PLATFORM );
  81 #endif
  82 #if defined(POLARSSL_TIMING_C)
  83     entropy_add_source( ctx, hardclock_poll, NULL, ENTROPY_MIN_HARDCLOCK );
  84 #endif
  85 #if defined(POLARSSL_HAVEGE_C)
  86     entropy_add_source( ctx, havege_poll, &ctx->havege_data,
  87                         ENTROPY_MIN_HAVEGE );
  88 #endif
  89 #endif /* POLARSSL_NO_DEFAULT_ENTROPY_SOURCES */
  90 }
  91
  92 void entropy_free( entropy_context *ctx )
  93 {
  94 #if defined(POLARSSL_HAVEGE_C)
  95     havege_free( &ctx->havege_data );
  96 #endif
  97 #if defined(POLARSSL_THREADING_C)
  98     polarssl_mutex_free( &ctx->mutex );
  99 #endif
 100     polarssl_zeroize( ctx, sizeof( entropy_context ) );
 101 }
 102
 103 int entropy_add_source( entropy_context *ctx,
 104                         f_source_ptr f_source, void *p_source,
 105                         size_t threshold )
 106 {
 107     int index, ret = 0;
 108
 109 #if defined(POLARSSL_THREADING_C)
 110     if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
 111         return( ret );
 112 #endif
 113
 114     index = ctx->source_count;
 115     if( index >= ENTROPY_MAX_SOURCES )
 116     {
 117         ret = POLARSSL_ERR_ENTROPY_MAX_SOURCES;
 118         goto exit;
 119     }
 120
 121     ctx->source[index].f_source = f_source;
 122     ctx->source[index].p_source = p_source;
 123     ctx->source[index].threshold = threshold;
 124
 125     ctx->source_count++;
 126
 127 exit:
 128 #if defined(POLARSSL_THREADING_C)
 129     if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
 130         return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
 131 #endif
 132
 133     return( ret );
 134 }
 135
 136 /*
 137  * Entropy accumulator update
 138  */
 139 static int entropy_update( entropy_context *ctx, unsigned char source_id,
 140                            const unsigned char *data, size_t len )
 141 {
 142     unsigned char header[2];
 143     unsigned char tmp[ENTROPY_BLOCK_SIZE];
 144     size_t use_len = len;
 145     const unsigned char *p = data;
 146
 147     if( use_len > ENTROPY_BLOCK_SIZE )
 148     {
 149 #if defined(POLARSSL_ENTROPY_SHA512_ACCUMULATOR)
 150         sha512( data, len, tmp, 0 );
 151 #else
 152         sha256( data, len, tmp, 0 );
 153 #endif
 154         p = tmp;
 155         use_len = ENTROPY_BLOCK_SIZE;
 156     }
 157
 158     header[0] = source_id;
 159     header[1] = use_len & 0xFF;
 160
 161 #if defined(POLARSSL_ENTROPY_SHA512_ACCUMULATOR)
 162     sha512_update( &ctx->accumulator, header, 2 );
 163     sha512_update( &ctx->accumulator, p, use_len );
 164 #else
 165     sha256_update( &ctx->accumulator, header, 2 );
 166     sha256_update( &ctx->accumulator, p, use_len );
 167 #endif
 168
 169     return( 0 );
 170 }
 171
 172 int entropy_update_manual( entropy_context *ctx,
 173                            const unsigned char *data, size_t len )
 174 {
 175     int ret;
 176
 177 #if defined(POLARSSL_THREADING_C)
 178     if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
 179         return( ret );
 180 #endif
 181
 182     ret = entropy_update( ctx, ENTROPY_SOURCE_MANUAL, data, len );
 183
 184 #if defined(POLARSSL_THREADING_C)
 185     if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
 186         return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
 187 #endif
 188
 189     return( ret );
 190 }
 191
 192 /*
 193  * Run through the different sources to add entropy to our accumulator
 194  */
 195 static int entropy_gather_internal( entropy_context *ctx )
 196 {
 197     int ret, i;
 198     unsigned char buf[ENTROPY_MAX_GATHER];
 199     size_t olen;
 200
 201     if( ctx->source_count == 0 )
 202         return( POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED );
 203
 204     /*
 205      * Run through our entropy sources
 206      */
 207     for( i = 0; i < ctx->source_count; i++ )
 208     {
 209         olen = 0;
 210         if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
 211                         buf, ENTROPY_MAX_GATHER, &olen ) ) != 0 )
 212         {
 213             return( ret );
 214         }
 215
 216         /*
 217          * Add if we actually gathered something
 218          */
 219         if( olen > 0 )
 220         {
 221             entropy_update( ctx, (unsigned char) i, buf, olen );
 222             ctx->source[i].size += olen;
 223         }
 224     }
 225
 226     return( 0 );
 227 }
 228
 229 /*
 230  * Thread-safe wrapper for entropy_gather_internal()
 231  */
 232 int entropy_gather( entropy_context *ctx )
 233 {
 234     int ret;
 235
 236 #if defined(POLARSSL_THREADING_C)
 237     if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
 238         return( ret );
 239 #endif
 240
 241     ret = entropy_gather_internal( ctx );
 242
 243 #if defined(POLARSSL_THREADING_C)
 244     if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
 245         return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
 246 #endif
 247
 248     return( ret );
 249 }
 250
 251 int entropy_func( void *data, unsigned char *output, size_t len )
 252 {
 253     int ret, count = 0, i, reached;
 254     entropy_context *ctx = (entropy_context *) data;
 255     unsigned char buf[ENTROPY_BLOCK_SIZE];
 256
 257     if( len > ENTROPY_BLOCK_SIZE )
 258         return( POLARSSL_ERR_ENTROPY_SOURCE_FAILED );
 259
 260 #if defined(POLARSSL_THREADING_C)
 261     if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
 262         return( ret );
 263 #endif
 264
 265     /*
 266      * Always gather extra entropy before a call
 267      */
 268     do
 269     {
 270         if( count++ > ENTROPY_MAX_LOOP )
 271         {
 272             ret = POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
 273             goto exit;
 274         }
 275
 276         if( ( ret = entropy_gather_internal( ctx ) ) != 0 )
 277             goto exit;
 278
 279         reached = 0;
 280
 281         for( i = 0; i < ctx->source_count; i++ )
 282             if( ctx->source[i].size >= ctx->source[i].threshold )
 283                 reached++;
 284     }
 285     while( reached != ctx->source_count );
 286
 287     memset( buf, 0, ENTROPY_BLOCK_SIZE );
 288
 289 #if defined(POLARSSL_ENTROPY_SHA512_ACCUMULATOR)
 290     sha512_finish( &ctx->accumulator, buf );
 291
 292     /*
 293      * Reset accumulator and counters and recycle existing entropy
 294      */
 295     memset( &ctx->accumulator, 0, sizeof( sha512_context ) );
 296     sha512_starts( &ctx->accumulator, 0 );
 297     sha512_update( &ctx->accumulator, buf, ENTROPY_BLOCK_SIZE );
 298
 299     /*
 300      * Perform second SHA-512 on entropy
 301      */
 302     sha512( buf, ENTROPY_BLOCK_SIZE, buf, 0 );
 303 #else /* POLARSSL_ENTROPY_SHA512_ACCUMULATOR */
 304     sha256_finish( &ctx->accumulator, buf );
 305
 306     /*
 307      * Reset accumulator and counters and recycle existing entropy
 308      */
 309     memset( &ctx->accumulator, 0, sizeof( sha256_context ) );
 310     sha256_starts( &ctx->accumulator, 0 );
 311     sha256_update( &ctx->accumulator, buf, ENTROPY_BLOCK_SIZE );
 312
 313     /*
 314      * Perform second SHA-256 on entropy
 315      */
 316     sha256( buf, ENTROPY_BLOCK_SIZE, buf, 0 );
 317 #endif /* POLARSSL_ENTROPY_SHA512_ACCUMULATOR */
 318
 319     for( i = 0; i < ctx->source_count; i++ )
 320         ctx->source[i].size = 0;
 321
 322     memcpy( output, buf, len );
 323
 324     ret = 0;
 325
 326 exit:
 327 #if defined(POLARSSL_THREADING_C)
 328     if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
 329         return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
 330 #endif
 331
 332     return( ret );
 333 }
 334
 335 #if defined(POLARSSL_FS_IO)
 336 int entropy_write_seed_file( entropy_context *ctx, const char *path )
 337 {
 338     int ret = POLARSSL_ERR_ENTROPY_FILE_IO_ERROR;
 339     FILE *f;
 340     unsigned char buf[ENTROPY_BLOCK_SIZE];
 341
 342     if( ( f = fopen( path, "wb" ) ) == NULL )
 343         return( POLARSSL_ERR_ENTROPY_FILE_IO_ERROR );
 344
 345     if( ( ret = entropy_func( ctx, buf, ENTROPY_BLOCK_SIZE ) ) != 0 )
 346         goto exit;
 347
 348     if( fwrite( buf, 1, ENTROPY_BLOCK_SIZE, f ) != ENTROPY_BLOCK_SIZE )
 349     {
 350         ret = POLARSSL_ERR_ENTROPY_FILE_IO_ERROR;
 351         goto exit;
 352     }
 353
 354     ret = 0;
 355
 356 exit:
 357     fclose( f );
 358     return( ret );
 359 }
 360
 361 int entropy_update_seed_file( entropy_context *ctx, const char *path )
 362 {
 363     FILE *f;
 364     size_t n;
 365     unsigned char buf[ ENTROPY_MAX_SEED_SIZE ];
 366
 367     if( ( f = fopen( path, "rb" ) ) == NULL )
 368         return( POLARSSL_ERR_ENTROPY_FILE_IO_ERROR );
 369
 370     fseek( f, 0, SEEK_END );
 371     n = (size_t) ftell( f );
 372     fseek( f, 0, SEEK_SET );
 373
 374     if( n > ENTROPY_MAX_SEED_SIZE )
 375         n = ENTROPY_MAX_SEED_SIZE;
 376
 377     if( fread( buf, 1, n, f ) != n )
 378     {
 379         fclose( f );
 380         return( POLARSSL_ERR_ENTROPY_FILE_IO_ERROR );
 381     }
 382
 383     fclose( f );
 384
 385     entropy_update_manual( ctx, buf, n );
 386
 387     return( entropy_write_seed_file( ctx, path ) );
 388 }
 389 #endif /* POLARSSL_FS_IO */
 390
 391 #if defined(POLARSSL_SELF_TEST)
 392 /*
 393  * Dummy source function
 394  */
 395 static int entropy_dummy_source( void *data, unsigned char *output,
 396                                  size_t len, size_t *olen )
 397 {
 398     ((void) data);
 399
 400     memset( output, 0x2a, len );
 401     *olen = len;
 402
 403     return( 0 );
 404 }
 405
 406 /*
 407  * The actual entropy quality is hard to test, but we can at least
 408  * test that the functions don't cause errors and write the correct
 409  * amount of data to buffers.
 410  */
 411 int entropy_self_test( int verbose )
 412 {
 413     int ret = 0;
 414     entropy_context ctx;
 415     unsigned char buf[ENTROPY_BLOCK_SIZE] = { 0 };
 416     unsigned char acc[ENTROPY_BLOCK_SIZE] = { 0 };
 417     size_t i, j;
 418
 419     if( verbose != 0 )
 420         polarssl_printf( "  ENTROPY test: " );
 421
 422     entropy_init( &ctx );
 423
 424     ret = entropy_add_source( &ctx, entropy_dummy_source, NULL, 16 );
 425     if( ret != 0 )
 426         goto cleanup;
 427
 428     if( ( ret = entropy_gather( &ctx ) ) != 0 )
 429         goto cleanup;
 430
 431     if( ( ret = entropy_update_manual( &ctx, buf, sizeof buf ) ) != 0 )
 432         goto cleanup;
 433
 434     /*
 435      * To test that entropy_func writes correct number of bytes:
 436      * - use the whole buffer and rely on ASan to detect overruns
 437      * - collect entropy 8 times and OR the result in an accumulator:
 438      *   any byte should then be 0 with probably 2^(-64), so requiring
 439      *   each of the 32 or 64 bytes to be non-zero has a false failure rate
 440      *   of at most 2^(-58) which is acceptable.
 441      */
 442     for( i = 0; i < 8; i++ )
 443     {
 444         if( ( ret = entropy_func( &ctx, buf, sizeof( buf ) ) ) != 0 )
 445             goto cleanup;
 446
 447         for( j = 0; j < sizeof( buf ); j++ )
 448             acc[j] |= buf[j];
 449     }
 450
 451     for( j = 0; j < sizeof( buf ); j++ )
 452     {
 453         if( acc[j] == 0 )
 454         {
 455             ret = 1;
 456             goto cleanup;
 457         }
 458     }
 459
 460 cleanup:
 461     entropy_free( &ctx );
 462
 463     if( verbose != 0 )
 464     {
 465         if( ret != 0 )
 466             polarssl_printf( "failed\n" );
 467         else
 468             polarssl_printf( "passed\n" );
 469
 470         polarssl_printf( "\n" );
 471     }
 472
 473     return( ret != 0 );
 474 }
 475 #endif /* POLARSSL_SELF_TEST */
 476
 477 #endif /* POLARSSL_ENTROPY_C */